System and method for execution of a secured environment initialization instruction

ABSTRACT

A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.

FIELD

The present invention relates generally to microprocessor systems, andmore specifically to microprocessor systems that may operate in atrusted or secured environment.

BACKGROUND

The increasing number of financial and personal transactions beingperformed on local or remote microcomputers has given impetus for theestablishment of “trusted” or “secured” microprocessor environments. Theproblem these environments try to solve is that of loss of privacy, ordata being corrupted or abused. Users do not want their private datamade public. They also do not want their data altered or used ininappropriate transactions. Examples of these include unintentionalrelease of medical records or electronic theft of funds from an on-linebank or other depository. Similarly, content providers seek to protectdigital content (for example, music, other audio, video, or other typesof data in general) from being copied without authorization.

Existing trusted systems may utilize a complete closed set of trustedsoftware. This method is relatively simple to implement, but has thedisadvantage of not allowing the simultaneous use of common,commercially available operating system and application software. Thisdisadvantage limits the acceptance of such a trusted system.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by wayof limitation, in the figures of the accompanying drawings and in whichlike reference numerals refer to similar elements and in which:

FIG. 1 is a diagram of an exemplary software environment executing in amicroprocessor system.

FIG. 2 is a diagram of certain exemplary trusted or secured softwaremodules and exemplary system environment, according to one embodiment ofthe present invention.

FIG. 3 is a diagram of an exemplary trusted or secured softwareenvironment, according to one embodiment of the present invention.

FIG. 4A is a schematic diagram of an exemplary microprocessor systemadapted to support the secured software environment of FIG. 3, accordingto one embodiment of the present invention.

FIG. 4B is a schematic diagram of an exemplary microprocessor systemadapted to support the secured software environment of FIG. 3, accordingto an alternate embodiment of the present invention.

FIG. 5 is a schematic diagram of an exemplary microprocessor systemadapted to support the secured software environment of FIG. 3, accordingto an alternate embodiment of the present invention.

FIG. 6 is a time line drawing of the execution of software components,according to one embodiment of the present invention.

FIG. 7 is a flowchart of software and other process blocks, according toone embodiment of the present invention.

DETAILED DESCRIPTION

The following description describes techniques for initiating a trustedor secured environment in a microprocessor system. In the followingdescription, numerous specific details such as logic implementations,software module allocation, encryption techniques, bus signalingtechniques, and details of operation are set forth in order to provide amore thorough understanding of the present invention. It will beappreciated, however, by one skilled in the art that the invention maybe practiced without such specific details. In other instances, controlstructures, gate level circuits and full software instruction sequenceshave not been shown in detail in order not to obscure the invention.Those of ordinary skill in the art, with the included descriptions, willbe able to implement appropriate functionality without undueexperimentation. The invention is disclosed in the form of amicroprocessor system. However, the invention may be practiced in otherforms of processor such as a digital signal processor, a minicomputer,or a mainframe computer.

Referring now to FIG. 1, a diagram of an exemplary software environmentexecuting in a microprocessor system is shown. The software shown inFIG. 1 is not trusted (untrusted). When operating in a high privilegelevel, the size and constant updating of the operating system 150 makeit very difficult to perform any trust analysis in a timely manner. Muchof the operating system sits within privilege ring zero (0), the highestlevel of privilege. The applications 152, 154, and 156 have much reducedprivilege and typically reside within privilege ring three (3). Theexistence of the differing privilege rings and the separation of theoperating system 150 and applications 152, 154 and 156 into thesediffering privileged rings would appear to allow operating of thesoftware of FIG. 1 in a trusted mode, based on making a decision totrust the facilities provided by the operating system 150. However, inpractice making such a trust decision is often impractical. Factors thatcontribute to this problem include the size (number of lines of code) ofthe operating system 150, the fact that the operating system 150 may bethe recipient of numerous updates (new code modules and patches) and thefact that the operating system 150 may also contain code modules such asdevice drivers supplied by parties other than the operating systemdeveloper. Operating system 150 may be a common one such as Microsoft®Windows®, Linux, or Solaris®, or may be any other appropriate known orotherwise available operating system. The particular types or names ofapplications or operating systems run or running are not critical.

Referring now to FIG. 2, a diagram of certain exemplary trusted orsecured software modules and exemplary system environment 200 is shown,according to one embodiment of the present invention. In the FIG. 2embodiment, processor 202, processor 212, processor 222, and optionalother processors (not shown) are shown as separate hardware entities. Inother embodiments, the number of processors may differ, as may theboundary of various components and functional units. In some embodimentsthe processors may be replaced by separate hardware execution threads or“logical processors” running on one or more physical processors.

Processors 202, 212, 222 may contain certain special circuits or logicelements to support secure or trusted operations. For example, processor202 may contain secure enter (SENTER) logic 204 to support the executionof special SENTER instructions that may initiate trusted operations.Processor 202 may also contain bus message logic 206 to support specialbus messages on system bus 230 in support of special SENTER operations.In alternate embodiments, memory control functions of chipset 240 may beallocated to circuits within the processors, and for multiple processorsmay be included on a single die. In these embodiments, special busmessages may also be sent on busses internal to the processors. The useof special bus messages may increase the security or trustability of thesystem for several reasons. Circuit elements such as processors 202,212, and 222 or chipset 240 may only issue or respond to such messagesif they contain the appropriate logic elements of embodiments of thepresent disclosure. Therefore successful exchange of the special busmessages may help ensure proper system configuration. Special busmessages may also permit activities that should normally be prohibited,such as resetting a platform configuration register 278. The ability ofpotentially hostile untrusted code to spy on certain bus transactionsmay be curtailed by allowing special bus messages to be issued only inresponse to special security instructions.

Additionally, processor 202 may contain secure memory 208 to supportsecure initialization operations. In one embodiment secure memory 208may be an internal cache of processor 202, perhaps operating in aspecial mode. In alternate embodiments secure memory 208 may be specialmemory. Other processors such as processor 212 and processor 222 mayalso include SENTER logic 214, 224, bus message logic 216, 226, andsecure memory 218, 228.

A “chipset” may be defined as a group of circuits and logic that supportmemory and input/output (I/O) operations for a connected processor orprocessors. Individual elements of a chipset may be grouped together ona single chip, a pair of chips, or dispersed among multiple chips,including processors. In the FIG. 2 embodiment, chipset 240 may includecircuitry and logic to support memory and I/O operations to supportprocessors 202, 212, and 222. In one embodiment, chipset 240 mayinterface with a number of memory pages 250 through 262 and adevice-access page table 248 containing control information indicatingwhether non-processor devices may access the memory pages 250 through262. Chipset 240 may include device-access logic 247 that may permit ordeny direct memory access (DMA) from I/O devices to selected portions ofthe memory pages 250 through 262. In some embodiment the device accesslogic 247 may contain all relevant information required to permit ordeny such accesses. In other embodiments, the device access logic 247may access such information held in the device access page table 248.The actual number of memory pages is not important and will changedepending upon system requirements. In other embodiments the memoryaccess functions may be external to chipset 240. The functions ofchipset 240 may further be allocated among one or more physical devicesin alternate embodiments.

Chipset 240 may additionally include its own bus message logic 242 tosupport special bus messages on system bus 230 in support of specialSENTER operations. Some of these special bus messages may includetransferring the contents of a key register 244 to a processor 202, 212,or 222, or permitting a special ALL_JOINED flag 274 to be examined by aprocessor 202, 212, or 222. Additional features of the bus message logic242 may be to register bus activity by processors in an “EXISTS”register 272 and store certain special bus message activity byprocessors in a “JOINS” register 272. Equality of contents of EXISTSregister 272 and JOINS register 272 may be used to set the specialALL_JOINED flag 274 to indicate all processors in the system areparticipating in the secure enter process.

Chipset 240 may support standard I/O operations on I/O busses such asperipheral component interconnect (PCI), accelerated graphics port(AGP), universal serial bus (USB), low pin count (LPC) bus, or any otherkind of I/O bus (not shown). An interface 290 may be used to connectchipset 240 with token 276, containing one or more platformconfiguration registers (PCR) 278, 279. In one embodiment, interface 290may be the LPC bus (Low Pin Count (LPC) Interface Specification, IntelCorporation, rev. 1.0, 29 Dec. 1997) modified with the addition ofcertain security enhancements. One example of such a securityenhancement would be a locality confirming message, utilizing apreviously-reserved message header and address information targeting aplatform configuration register (PCR) 278 within token 276. In oneembodiment, token 276 may contain special security features, and in oneembodiment may include the trusted platform module (TPM) 281 disclosedin the Trusted Computing Platform Alliance (TCPA) Main Specification,version 1.1a, 1 Dec. 2001, issued by the TCPA (available at the time offiling of the present application at www.trustedpc.com).

Two software components identified in system environment 200 are aSecure Virtual Machine Monitor (SVMM) 282 module and a SecureInitialization Authenticated Code (SINIT-AC) 280 module. The SVMM 282module may be stored on a system disk or other mass storage, and movedor copied to other locations as necessary. In one embodiment, prior tobeginning the secure launch process SVMM 282 may be moved or copied toone or more memory pages 250 through 262. Following the secure enterprocess, a virtual machine environment may be created in which the SVMM282 may operate as the most privileged code within the system, and maybe used to permit or deny direct access to certain system resources bythe operating system or applications within the created virtualmachines.

Some of the actions required by the secure enter process may be beyondthe scope of simple hardware implementations, and may insteadadvantageously use a software module whose execution can be implicitlytrusted. In one embodiment, these actions may be performed by SecureInitialization (SINIT) code. Three exemplary actions are identifiedhere, but these actions should not be taken to be limiting. One actionmay require that various controls representing critical portions of thesystem configuration be tested to ensure that the configuration supportsthe correct instantiation of the secure environment. In one embodiment,one required test may be that the memory controller configurationprovided by chipset 240 does not permit two or more different system busaddresses to touch the same location within memory pages 250 through262. A second action may be to configure the device-access page table248 and device-access logic 247 to protect those memory pages used bythe memory-resident copy of SVMM 282 from interference by non-processordevices. A third action may be to calculate and register the SVMM 282module's identity and transfer system control to it. Here “register”means placing a trust measurement of SVMM 282 into a register, forexample into PCR 278 or into PCR 279. When this last action is taken,the trustworthiness of the SVMM 282 may be inspected by a potentialsystem user.

The SINIT code may be produced by the manufacturer of the processors orof the chipsets. For this reason, the SINIT code may be trusted to aidin the secure launch of chipset 240. In order to distribute the SINITcode, in one embodiment a well-known cryptographic hash is made of theentire SINIT code, producing a value known as a “digest”. One embodimentproduces a 160-bit value for the digest. The digest may then beencrypted by a private key, held in one embodiment by the manufacturerof the processor, to form a digital signature. When the SINIT code isbundled with the corresponding digital signature, the combination may bereferred to as SINIT authenticated code (SINIT-AC) 280. Copies of theSINIT-AC 280 may be later validated as discussed below.

The SINIT-AC 280 may be stored on system disk or other mass storage orin a fixed media, and moved or copied to other locations as necessary.In one embodiment, prior to beginning the secure launch process SINIT-AC280 may be moved or copied into memory pages 250-262 to form amemory-resident copy of SINIT-AC.

Any logical processor may initiate the secure launch process, and maythen be referred to as the initiating logical processor (ILP). In thepresent example processor 202 becomes the ILP, although any of theprocessors on system bus 230 could become the ILP. Neithermemory-resident copy of SINIT-AC 280 nor memory-resident copy of SVMM282 may be considered trustworthy at this time since, among otherreasons, the other processors or the DMA devices may overwrite memorypages 250-262.

The ILP (processor 202) then executes a special instruction. Thisspecial instruction may be referred to as a secured enter (SENTER)instruction, and may be supported by SENTER logic 204. Execution of theSENTER instruction may cause the ILP (processor 202) to issue specialbus messages on system bus 230, and then wait considerable timeintervals for subsequent system actions. After execution of SENTERbegins, one of these special bus messages, SENTER BUS MESSAGE, isbroadcast on system bus 230. Those logical processors other than theILP, which may be referred to as responding logical processors (RLPs),respond to the SENTER BUS MESSAGE with an internal non-maskable event.In the present example, the RLPs include processor 212 and processor222. The RLPs must each terminate current operations, send a RLPacknowledge (ACK) special bus message on system bus 230, and then entera wait state. It should be noted that the ILP also sends its own ACKmessage over system bus 230.

The chipset 240 may contain a pair of registers, “EXISTS” register 270and “JOINS” register 272. These registers may be used to verify that theILP and all of the RLPs are responding properly to the SENTER BUSMESSAGE. In one embodiment, chipset 240 may keep track of alloperational logical processors in the system by writing a “1” into thecorresponding bit of the EXISTS register 270 on any system bustransaction made by that logical processor. In this embodiment, eachtransaction on system bus 230 must contain an identification fieldcontaining the logical processor identifier. In one embodiment, thisconsists of a physical processor identifier and an identifier for thehardware execution thread within each physical processor. For example,if a thread executing on processor 222 caused any bus transactions onsystem bus 230, chipset 240 would see this logical processor identifierwithin the transaction and write a “1” into the corresponding location286 within EXISTS register 270. During the secure launch process, whenthat same thread on processor 222 sends its ACK message on system bus230, the chipset 240 would also see this and could write a “1” into thecorresponding location 288 in the JOINS register 272. (In the FIG. 2example, each physical processor is shown with only a single threadexecuting for clarity. In alternate embodiments the physical processorsmay support multiple threads, and thereby multiple logical processors.)When the contents of the JOINS register 272 matches the contents of theEXISTS register 270, then chipset 240 can set an ALL_JOINED flag 246indicating that all processors have properly responded to the SENTER BUSMESSAGE.

In another embodiment, EXISTS register 270 and JOINS register 272 maycontinue to aid security subsequent to the setting of the ALL_JOINEDflag 246. During the time subsequent to the setting of the ALL_JOINEDflag 246 until the end of trusted or secure operations, chipset 240 maycontinue to monitor and compare bus cycles_against the JOINS register272. During this period, if chipset 240 ever sees a bus transaction froma logical processor that is not currently identified in JOINS register272, then chipset 240 may presume that this logical processor hassomehow “appeared” late. This would imply that such a logical processordid not participate in the secure launch process, and therefore couldrepresent an attacker (security threat). In such circumstances, chipset240 may respond appropriately to keep this attacker out of the securedenvironment. In one embodiment, chipset 240 may force a system reset insuch circumstances. In a second embodiment, similar detection of a“late” processor may be achieved by each logical processor asserting aspecial reserved signal on the system bus on every transaction followingthe assertion of the ACK bus message. In this embodiment, following thesetting of the ALL_JOINED flag 246 if the chipset 240 observes a bustransaction initiated by a processor without the special signalasserted, then chipset 240 may again presume that this logical processorhas somehow appeared “late”, and may represent an attacker.

After issuing the SENTER BUS MESSAGE, the ILP (processor 202) polls theALL_JOINED flag 246 to see when and if all processors have properlyresponded with their ACKs. If the flag 246 is never set, severalimplementations are possible. A watchdog timer in the ILP or chipset orelsewhere may cause a system reset. Alternatively, the system may hangrequiring operator reset. In either case the assertion of a secureenvironment is protected (in that the secure launch process does notcomplete unless all processors participate), although the system may notcontinue to function. In normal operations, after a short time theALL_JOINED flag 246 is set, and the ILP may be assured that all otherlogical processors have entered a wait state.

When the ALL_JOINED flag 246 is set, the ILP (processor 202) may moveboth a copy of SINIT-AC 280 and key 284 into secure memory 208 for thepurpose of authenticating and subsequently executing the SINIT codeincluded in SINIT-AC 280. In one embodiment, this secure memory 208 maybe an internal cache of the ILP (processor 202), perhaps operating in aspecial mode. Key 284 represents the public key corresponding to theprivate key used to encrypt the digital signature included in theSINIT-AC 280 module, and is used to verify the digital signature andthereby authenticate the SINIT code. In one embodiment, key 284 mayalready be stored in the processor, perhaps as part of the SENTER logic204. In another embodiment, key 284 may be stored in a read-only keyregister 244 of chipset 240, which is read by the ILP. In yet anotherembodiment, either the processor or the chipset's key register 244 mayactually hold a cryptographic digest of key 284, where key 284 itself isincluded in the SINIT-AC 280 module. In this last embodiment, the ILPreads the digest from key register 244, calculates an equivalentcryptographic hash over the key 284 embedded in SINIT-AC 280, andcompares the two digests to ensure the supplied key 284 is indeedtrusted.

A copy of SINIT-AC and a copy of a public key may then exist withinsecure memory 208. The ILP may now validate the copy of SINIT-AC bydecrypting the digital signature included in the copy of the SINIT-ACusing the copy of a public key. This decryption produces an originalcopy of a cryptographic hash's digest. If a newly-calculated digestmatches this original digest then the copy of SINIT-AC and its includedSINIT code may be considered trustable.

The ILP may now issue another special bus message, SENTER CONTINUEMESSAGE, via system bus 230 signaling the waiting RLP's (processor 212,processor 222) and chipset 240 that secured operations are going to beinitiated. The ILP may now register the unique identity of the SINIT-ACmodule by writing the SINIT-AC module's cryptographic digest value to aplatform configuration register 272 in the security token 276, asoutlined below. The ILP's execution of its SENTER instruction may nowterminate by transferring execution control to the trusted copy of theSINIT code held within the ILP's secure memory 208. The trusted SINITcode may then perform its system test and configuration actions and mayregister the memory-resident copy of SVMM, in accordance with thedefinition of “register” above.

Registration of the memory-resident copy of SVMM may be performed inseveral manners. In one embodiment, the SENTER instruction running onthe ILP writes the calculated digest of SINIT-AC into PCR 278 within thesecurity token 276. Subsequently, the trusted SINIT code may write thecalculated digest of the memory-resident SVMM to the same PCR 278 oranother PCR 279 within the security token 276. If the SVMM digest iswritten to the same PCR 278, the security token 276 hashes the originalcontents (SINIT digest) with the new value (SVMM digest) and writes theresult back into the PCR 278. In embodiments where the first(initializing) write to PCR 278 is limited to the SENTER instruction,the resulting digest may be used as a root of trust for the system.

Once the trusted SINIT code has completed its execution, and hasregistered the identity of the SVMM in a PCR, the SINIT code maytransfer ILP execution control to the SVMM. In a typical embodiment, thefirst SVMM instructions executed by the ILP may represent aself-initialization routine for the SVMM. The ILP may in one embodimentissue individual RLP JOIN MESSAGE special bus messages to each RLP,causing each of the RLPs to join in operations under the supervision ofthe now-executing copy of SVMM. From this point onwards, the overallsystem is operating in trusted mode as outlined in the discussion ofFIG. 3 below.

Referring now to FIG. 3, a diagram of an exemplary trusted or securedsoftware environment is shown, according to one embodiment of thepresent invention. In the FIG. 3 embodiment, trusted and untrustedsoftware may be loaded simultaneously and may execute simultaneously ona single computer system. A SVMM 350 selectively permits or preventsdirect access to hardware resources 380 from one or more untrustedoperating systems 340 and untrusted applications 310 through 330. Inthis context, “untrusted” does not necessarily mean that the operatingsystem or applications are deliberately misbehaving, but that the sizeand variety of interacting code makes it impractical to reliably assertthat the software is behaving as desired, and that there are no virusesor other foreign code interfering with its execution. In a typicalembodiment, the untrusted code might consist of the normal operatingsystem and applications found on today's personal computers.

SVMM 350 also selectively permits or prevents direct access to hardwareresources 380 from one or more trusted or secure kernels 360 and one ormore trusted applications 370. Such a trusted or secure kernel 360 andtrusted applications 370 may be limited in size and functionality to aidin the ability to perform trust analysis upon it. The trustedapplication 370 may be any software code, program, routine, or set ofroutines which is executable in a secure environment. Thus, the trustedapplication 370 may be a variety of applications, or code sequences, ormay be a relatively small application such as a Java applet.

Instructions or operations normally performed by operating system 340 orkernel 360 that could alter system resource protections or privilegesmay be trapped by SVMM 350, and selectively permitted, partiallypermitted, or rejected. As an example, in a typical embodiment,instructions that change the processor's page table that would normallybe performed by operating system 340 or kernel 360 would instead betrapped by SVMM 350, which would ensure that the request was notattempting to change page privileges outside the domain of its virtualmachine.

Referring now to FIG. 4A, one embodiment of a microprocessor system 400adapted to support the secured software environment of FIG. 3 is shown.CPU A 410, CPU B 414, CPU C 418, and CPU D 422 may be configured withadditional microcode or logic circuitry to support the execution ofspecial instructions. In one embodiment, this additional microcode orlogic circuitry may be the SENTER logic 204 of FIG. 2. These specialinstructions may support the issuance of special bus messages on systembus 420 that may enable the proper synchronization of the processorswhile launching the secure environment. In one embodiment, the issuanceof special bus messages may be supported by circuitry such as the busmessage logic 206 of FIG. 2. Similarly chipset 430 may be similar tochipset 240 and may support the above-mentioned special cycles on systembus 420. The number of physical processors may vary upon theimplementation of a particular embodiment. In one embodiment, theprocessors may be Intel® Pentium® class microprocessors. Chipset 430 mayinterface with mass storage devices such as fixed media 444 or removablemedia 448 via PCI bus 446, or, alternately, via USB 442, an integratedcontroller electronics (IDE) bus (not shown), a small computer systemsinterconnect (SCSI) bus (not shown), or any other I/O busses. The fixedmedia 444 or removable media 448 may be magnetic disks, magnetic tape,magnetic diskettes, magneto-optical drives, CD-ROM, DVD-ROM, Flashmemory cards, or many other forms of mass storage.

In the FIG. 4A embodiment, the four processors CPU A 410, CPU B 414, CPUC 418, and CPU D 422 are shown as four separate hardware entities. Inother embodiments, the number of processors may differ. Indeed, thephysically discrete processors may be replaced by separate hardwareexecution threads running on one or more physical processors. In thelatter case these threads possess many of the attributes of additionalphysical processors. In order to have a generic expression to discussusing any mixture of multiple physical processors and multiple threadsupon processors, the expression “logical processor” may be used todescribe either a physical processor or a thread operating in one ormore physical processors. Thus, one single-threaded processor may beconsidered a logical processor, and multi-threaded or multi-coreprocessors may be considered multiple logical processors.

In one embodiment, chipset 430 interfaces with a modified LPC bus 450.Modified LPC bus 450 may be used to connect chipset 430 with a securitytoken 454. Token 454 may in one embodiment include the TPM 471envisioned by the Trusted Computing Platform Alliance (TCPA).

Referring now to FIG. 4B, an alternate embodiment of a microprocessorsystem 490 adapted to support the secured software environment of FIG. 3is shown. Differing from the FIG. 4A embodiment, CPU A 410 and CPU B 414may be connected to chipset 428 with system bus A 402 whereas CPU C 418and CPU D 422 may be connected to chipset 428 with system bus B 404. Inother embodiments more than two system busses may be utilized. Inanother alternative embodiment, point-to-point busses may be used.Special instructions may support the issuance of special bus messages onsystem bus A 402 and system bus B 404 that may enable the propersynchronization of the processors while launching the secureenvironment. In one embodiment, the issuance of special bus messages maybe supported by circuitry such as the bus message logic 206 of FIG. 2.

In one embodiment, chipset 428 is responsible for maintainingconsistency and coherency across system bus A 402 and system bus B 404.If a bus message, standard or special, is sent across system bus A 402,chipset 428 reflects that message (when appropriate) onto system bus B404, and vice-versa.

In an alternate embodiment, chipset 428 treats system bus A 402 andsystem bus B 404 as independent subsystems. Any special bus messagesissued on system bus A 402 apply only to processors on that bus:similarly, special bus messages issued on system bus B 404 apply only toprocessors on that bus. Any protected memory that is established withrespect to system bus A 402 is only accessible to processors connectedto system bus A 402, and the processors on system bus B 404 may betreated as untrusted devices. To gain access to any protected memoryestablished for CPU A 410 and CPU B 414 on system bus A 402, processorsCPU C 418 and CPU D 422 on system bus B 404 must perform their ownSENTER process, creating a registered environment equal to that createdfor the processors on system bus A 402.

Referring now to FIG. 5, a schematic diagram of an exemplarymicroprocessor system 500 adapted to support the secured softwareenvironment of FIG. 3 is shown, according to an alternate embodiment ofthe present invention. Differing from the FIG. 4A embodiment, eachprocessor (for example, CPU A 510) may include certain chipset functions(for example, chipset functions 593) that, for example, perform memorycontroller functions and device access logic functions. These chipsetfunctions thereby allow the direct connection of memory (for example,memory A 502) to the processor. Other chipset functions may remain in aseparate chipset 530. Special bus messages may be issued across systembus 520.

Each processor may make indirect accesses to memory connected to otherprocessors: however, these accesses may be considerably slower whencompared to accesses to a processor's own memory. Prior to the start ofthe SENTER process, software may move copies of SINIT-AC 566 and SVMM574 from fixed media 544 into local memory 504, forming copy of SINIT-AC556 and copy of SVMM 572. In one embodiment, the memory 504 may beselected because it is directly accessed by the processor intended to bethe ILP, in the FIG. 5 example this is CPU B 514. Alternatively, theSINIT-AC 566 and SVMM 574 copies may be placed in other memoriesattached to other (non-ILP) processors, so long as the ILP 514 has theability to access those memories. CPU B ILP 514 begins the secure enterprocess by issuing the SENTER instruction, as already described in FIG.2, and with similar consequences and bus cycles issued. Chipset 530 mayutilize EXISTS register 576, JOINS register 580, and ALL_JOINED flag 584as described above in connection with FIG. 2 to determine whether allprocessors have properly responded to the SENTER BUS MESSAGE and signalthis information to the ILP. The ILP (CPU B 514) may again move thememory-resident copy of SINIT-AC 556 into secure memory 560, along witha copy of a public key 564. Upon verification and registration ofSINIT-AC 556, ILP may then continue to verification and registration ofthe memory-resident copy of SVMM 572.

Referring now to FIG. 6, a time line drawing of various operations isshown, according to one embodiment of the present invention. Thetimeline of FIG. 6 shows the overall schedule of the operationsdiscussed in connection with the exemplary system discussed inconnection with FIG. 2 above. When software decides that secure ortrusted operations are desired, at time 610 any software locates andmakes a copy of SINIT-AC 280 and SVMM 282 available to a subsequentSENTER instruction. In this example, software loads a copy of SINIT-AC280 and a copy of SVMM 282 into one or more memory pages 250-262. Oneprocessor, in the present example processor 202, is then selected to bethe ILP, which issues the SENTER instruction at time 612. At time 614the ILP's SENTER instruction issues the SENTER BUS MESSAGE 616. The ILPthen issues its own SENTER ACK 608 at time 618 prior to entering await-for-chipset-flag state at time 628.

Each RLP, such as processor 222, respond to the SENTER BUS MESSAGE 616by completing the current instruction during time 620. The RLP thenissues its SENTER ACK 622 and then enters a state 634 where it waits foran SENTER CONTINUE MESSAGE.

The chipset 240 spends time 624 setting the JOINS register 272responsive to the SENTER ACK messages observed on system bus 230. Whenthe JOINS register 272 contents matches the EXISTS register 270contents, chipset 240 sets the ALL_JOINED flag 246 at time 626.

During this time, the ILP may remain in a loop while polling theALL_JOINED flag 246. When the ALL_JOINED flag 246 is set, and ILPdetermines that the ALL_JOINED flag 246 is set at time 630, the ILP maythen issue the SENTER CONTINUE MESSAGE during time 632. When the SENTERCONTINUE MESSAGE is broadcast on system bus 230 at time 636, the RLPsmay enter a wait-for-join state. For example, the RLP of processor 222enters a wait-for -join state during time period 638.

Upon issuing the SENTER CONTINUE MESSAGE, the ILP may then (in timeperiod 640) bring the public key of key register 244 of chipset 240 anda copy of SINIT-AC into its secure memory 208 to form a copy of the keyand a copy of SINIT-AC. In another embodiment, key register 244 maycontain a digest of the public key, and the actual public key may beincluded in, or with, the SINIT-AC. Upon authenticating the copy ofSINIT-AC as described above in connection with FIG. 2, the ILP may thenactually execute the copy of SINIT-AC within secure memory 208.

After the copy of SINIT-AC within secure memory 208 begins execution, itthen (during time period 640) validates and registers thememory-resident copy of SVMM. After the copy of SVMM is registered inthe PCR 278 of security token 276, the memory-resident copy of SVMMitself begins execution. At this time, during ongoing time period 650,SVMM operations are established in the ILP.

Among the first things that the ILP SVMM operation does is issueindividual RLP JOIN MESSAGES on the system bus 230. An example is aprocessor 222 JOIN MESSAGE 644. This message may include a location inmemory at which the RLP processor 222 may join in execution of theregistered memory-resident copy of SVMM. Alternatively, the ILP SVMMoperations may have registered a memory location in a predeterminedlocation in the chipset or memory, and upon receiving the JOIN MESSAGEthe RLP retrieves its starting address from this location. Afterreceiving the processor 222 JOIN MESSAGE, and determining its startingaddress, during time period 646 the RLP processor 222 jumps to thislocation and joins execution of the registered memory-resident copy ofthe SVMM.

After all the RLPs have joined the registered memory-resident copy ofthe SVMM, secured operations are established throughout themicrocomputer system 200.

Referring now to FIG. 7, a flowchart of software and other processblocks is shown, according to one embodiment of the present invention.For the sake of clarity FIG. 7 only shows process blocks for a singlerepresentative RLP. In other embodiments there may be several respondinglogical processors.

The process 700 begins at block 710 when a logical processor makes acopy of the SINIT-AC and SVMM modules available for access by asubsequent SENTER instruction. In this example, in block 712 the ILPloads the SINIT-AC and SVMM code from mass storage into physical memory.In alternative embodiments, any logical processor may do so, not justthe ILP. A processor becomes the ILP by executing the SENTERinstruction, as identified in block 714. In block 716, the ILP SENTERinstruction issues an SENTER BUS MESSAGE in block 716. The ILP then, inblock 718, issues its own SENTER ACK message to the chipset. The ILPthen enters a wait state, shown as decision block 720, and waits for thechipset to set its ALL_JOINED flag.

After each RLP receives the SENTER BUS MESSAGE in block 770, it haltsexecution with the end of the current instruction, and then in block 772issues its own SENTER ACK. Each RLP then enters a wait state, shown asdecision block 774, and waits for a SENTER CONTINUE MESSAGE to arrivefrom the ILP.

The chipset sets the corresponding bits in the JOINS register whenSENTER ACK messages are received. When the JOINS register contentsequals the EXISTS register contents, the chipset sets its ALL_JOINEDflag, signaling the ILP to proceed from decision block 720.

The ILP, upon exiting decision block 720 on the YES path, then issues aSENTER CONTINUE MESSAGE in block 722. This signals each RLP to proceedfrom decision block 774. Each RLP then enters a second wait state, shownas decision block 776, and waits for a SENTER JOIN MESSAGE.

Meanwhile the ILP, in block 724, moves the public key of the chipset andthe memory-resident copy of SINIT-AC into its own secure memory forsecure execution. The ILP, in block 726, uses the key to validate thesecure-memory-resident copy of SINIT-AC, and then executes it. Theexecution of SINIT-AC may perform tests of the system configuration andthe SVMM copy, then registers the SVMM identity, and finally begins theexecution of SVMM in block 728. As part of actions performed in block728, the ILP SINIT code may configure device-access page table 248 anddevice-access logic 247 of memory and chipset to protect those memorypages used by the memory-resident copy of SVMM 282 from interference bynon-processor devices, as shown in block 754.

After the ILP begins execution under the control of SVMM, in block 730the ILP sends an individual SENTER JOIN MESSAGE to each RLP. Afterissuing the SENTER JOIN MESSAGE, the ILP then in block 732 begins SVMMoperations.

The receipt of the SENTER JOIN MESSAGE causes each RLP to leave the waitstate represented by decision block 776 along the YES path, and beginSVMM operations in block 780. The SENTER JOIN MESSAGE may contain theSVMM entry point the RLP branch to when joining SVMM operations.Alternatively, the ILP SVMM code may register the appropriate RLP entrypoint in a system location (for example, in the chipset), to beretrieved by the RLP upon receipt of the SENTER JOIN MESSAGE.

While various embodiments disclosed include two or more processors(either logical or physical processors), it should be understood thatsuch multi-processor and/or multi-threaded systems are described in moredetail to explain the added complexity associated with securing a systemwith multiple logical or physical processors. An embodiment also likelyto be advantageous in less complex system may use only one processor. Insome cases, the one physical processor may be multi-threading andtherefore may include multiple logical processors (and accordingly havean ILP and an RLP as described). In other cases, however, asingle-processor, single-threaded system may be used, and still utilizedisclosed secure processing techniques. In such cases, there may be noRLP; however, the secure processing techniques still operate to reducethe likelihood that data can be stolen or manipulated in an unauthorizedmanner.

In the foregoing specification, the invention has been described withreference to specific exemplary embodiments thereof. It will, however,be evident that various modifications and changes may be made theretowithout departing from the broader spirit and scope of the invention asset forth in the appended claims. The specification and drawings are,accordingly, to be regarded in an illustrative rather than a restrictivesense.

1. A computing system comprising: a storage device to store a firstsecure module and a second secure module; and a processor coupled to thestorage device, the processor to establish a root of trust usable toensure that subsequent operations can be trusted, wherein the processoris to execute the first secure module to initialize a secure processingenvironment and authenticate the second secure module, and wherein theprocessor is to execute the second secure module after beingauthenticated by the first secure module and after the root of trust hasbeen established, the second secure module to prevent direct access tohardware resources in the secure processing environment from anuntrusted operating system.
 2. The computing system of claim 1, furthercomprising a memory device coupled to the processor.
 3. The computingsystem of claim 1, further comprising a Universal Serial Bus (USB)interface coupled to the processor.
 4. The computing system of claim 1,further comprising a removable media interface coupled to the processor.